Your Website’s Privacy Policy: Why it Matters

Client Alerts · December 13, 2011

Be honest. Have you read your company’s online privacy policy lately? If you have, did you understand it?

If your answer to either of these questions is “no,” you’re flirting with trouble: trouble with your customers and clients who may be reluctant to engage with your company, its products, and its services, and trouble with federal and state governments that are increasing their oversight of privacy compliance in response to consumer concern. And the trouble will only multiply as you use social media to draw more and more users to your website.

What’s Wrong With Your Privacy Policy? There are two common problems with privacy policies. The first is that customers can’t understand them. In the words of one Federal Trade Commission staff lawyer, privacy policies are often a collection of “geek-speak and legal mumbo jumbo.”

A second problem is that businesses don’t abide by them. Too often, businesses simply copy privacy policies they find online, without ensuring that the policies reflect their actual data collection practices. Even policies that are accurate when adopted may become deceptive when technological advances change the way a site obtains information from its users.

Why Should You Care? Don’t fool yourself into thinking that, because privacy policies tend to use boilerplate language and appear as an insignificant link from the bottom of your home page, no one will read them or care about them. Surveys show that Americans overwhelmingly believe that their personal information, reputation, and privacy are at risk on the Internet. Where there is consumer concern, the government isn’t far behind.

Within the past two months, the FTC has entered into three wide-ranging consent agreements over online privacy practices. It asserted that Google had failed to come clean with users about its privacy settings on the Google Buzz social network platform, and it charged that Facebook changed its privacy policies without adequate disclosure and without obtaining the meaningful consent of its users.

How to Keep the FTC at Bay. Not everyone wants increased government intervention. But if individuals are to safeguard their privacy without the FTC’s involvement, they need clear, understandable information about how the data they provide online will be used. It’s your responsibility to your customers and clients to provide that information.

Don’t believe the lawyers who tell you that your privacy policy has to go on for pages and pages. At its essence, all it has to do is tell visitors to your website what information you collect, what you do with that information, how the user can opt out, and how to contact you with concerns. It should be clear, and it must be accurate.

For example, does your site use cookies? It’s not enough to tell users that you do; you must also inform them how the cookies can be blocked. The FTC recently rapped an online advertising network whose privacy policy said that users could block cookies by adjusting their browser settings. The problem was that the site, ScanScout, later started to use Flash cookies, which are stored in a different location on a user’s computer than HTTP cookies, and cannot be blocked by the usual browser software controls.

Some Best Practices. The FTC’s consent order with ScanScout requires a number of measures that might well become “best practices” for the rest of the online world to follow:

First, and most obvious, tell the truth. Disclose the exact extent to which data about users and their online activities is collected, used, disclosed, and shared. Tell users, accurately, how they can control the collection or use of data about them, their computers, or their mobile devices.

Second, the FTC made ScanScout place a “clear and prominent” notice on its home page with a hyperlink stating, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements, click here.” No legalese there. Whatever your site’s practices, you should be equally clear. It’s not that hard.

Third, the site must contain a mechanism that allows users to prevent the company from collecting information about them, from automatically redirecting users’ browsers to third parties that collect data, and from associating with a user any data previously collected about them.